Applying a GPO in Active Directory

We have 6 domain controllers. On the Domain Controllers OU there is the Default Domain Controllers Policy, and a policy that we created is applied as well. In the policy that we created we have changed the permissions on the Windows\Tasks folder to read-only for Everyone. This was to counter the Conficker virus, as recommended by Microsoft. Now, on one of the domain controllers, we want to be able to create tasks. So I added one DC, for example DC2, to the Security tab of the group policy that we created and denied the Read and Apply Group Policy permissions. GPResult displays that the policy is not applying.

The changes done by the policy are still retained. So, as I understand it, the only way to grant read/write permissions to users is by applying another policy and enabling it. I created another policy in which I have added the folder under Computer Settings/Windows Settings/File Permissions, added Windows\Tasks and gave permissions. Now I link the policy to the Domain Controllers OU. I want to refresh this server manually and then unlink the policy so that the other DCs are not affected. I did this, and gpresult says the policy is not applied; it says it is filtered.

How do I get this one DC to have read/write permissions on the Tasks folder?

Can I do this, for example: create an OU, link the policy which rolls back the changes to the new OU, move the DC to this OU, update the policy, then move it back to the original OU?

I wouldn't move the DC out of the Domain Controllers OU. Just create the new GPO with the required relaxed permission, and link it to the same OU as all the DCs.
Then apply security filtering so that only the one DC can read and apply this policy. Then set this GPO's precedence so it is above the other policy restricting the permissions. That way its settings will over-rule the existing GPO, but will only apply to the one DC.

OK, I have created the policy. When I am applying it, it says it is not applied because it is filtered. Could you elaborate on security filtering? On the Security tab of the GPO there are Authenticated Users, Creator Owner, Domain Admins, Enterprise Admins, etc. So do you mean to say I add the other DCs on which I do not want this policy to be applied to the Security tab and deny the Apply Group Policy permission?

In the GPMC, select the group policy object on the left-hand side of the window. On the right-hand side, select the 'Scope' tab.
The second section, Security Filtering, defines who can apply the GPO. Remove the 'Authenticated Users' group from here, and add in the computer account for the DC you want the settings to apply to, so that only it can read the GPO. This basically writes back to the Security tab, applying the correct permissions. When you add the computer, you will have to click 'Object Types' and tick 'Computers' to allow you to add computer accounts to the security filtering. As long as only this DC is in the list, and nothing else, then only it can read and apply the GPO.
Then, after you link the GPO to the OU holding the DCs, click on the OU in the GPMC. Check the 'Linked Group Policy Objects' tab and ensure that the new GPO is higher in the list than the old one.
Run 'gpupdate /force' on the DC and then check gpresult. All being well, your new settings should apply.
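The same procedure the two answers above describe (link the relaxed GPO to the Domain Controllers OU, security-filter it to one DC's computer account, put it first in link order, refresh and verify) scripted with the GroupPolicy PowerShell module. This is an added example, not code from the original thread; the GPO name 'Tasks-Relaxed-DC2', the computer account 'DC2' and the domain corp.example.com are assumptions, and the GPO's actual File System setting for %SystemRoot%\Tasks is still configured in the GPMC editor. Two practitioner caveats the thread touches on: File System security settings in a GPO persist on the target after the GPO is unlinked (which is why the original poster saw the read-only ACL "retained"), so only an explicit counter-setting reverts them; and since the MS16-072 change to group policy processing, computer accounts must retain Read on every GPO in scope, so this script downgrades Authenticated Users to Read rather than removing the group entirely and grants Apply only to the one DC.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy module
# (RSAT / Windows Server 2008 R2 and later) and Domain Admin or GPO-creator rights.
# Assumed names: GPO 'Tasks-Relaxed-DC2', DC computer account 'DC2', domain corp.example.com.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'
$dcOu     = "OU=Domain Controllers,$domainDn"
$gpoName  = 'Tasks-Relaxed-DC2'
$dcName   = 'DC2'

# 1. Create the GPO if it does not exist. Its File System setting for
#    %SystemRoot%\Tasks is still authored in the GPMC editor; this script only
#    handles scope, security filtering and link order.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Relaxes %SystemRoot%\Tasks ACL on one DC only'
}

# 2. Security filtering. Downgrade Authenticated Users from Read+Apply to Read
#    only (computers must still be able to read the GPO for policy processing),
#    then grant Read+Apply to the single DC's computer account.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $dcName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# 3. Link to the Domain Controllers OU at link order 1. The lowest order number
#    is processed last and therefore wins, so this GPO overrides the Conficker
#    lock-down GPO on the same OU for the one DC that may apply it.
$existingLink = (Get-GPInheritance -Target $dcOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes -Order 1 | Out-Null
} else {
    Set-GPLink -Name $gpoName -Target $dcOu -Order 1 | Out-Null
}

# 4. Verify who may apply the GPO and the resulting link order on the OU.
#    Expected: only DC2 carries GpoApply; the new GPO is Order 1.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission -AutoSize
(Get-GPInheritance -Target $dcOu).GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 5. Refresh computer policy on DC2 and confirm the GPO shows under
#    'Applied Group Policy Objects' rather than 'Filtered out: Denied (Security)'.
Invoke-Command -ComputerName $dcName -ScriptBlock {
    gpupdate /force /target:computer | Out-Null
    gpresult /r /scope:computer
}
```

Run step 4 on any other DC's gpresult as well: the relaxed GPO should appear there as filtered out by security, which is the intended state, while the lock-down GPO still applies to all six.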

The recommended policy was to control Conficker from spreading; it should be a temporary measure. Once you have Conficker cleaned up and patched, you can remove the GPO. Also, since you have only 6 DCs, why not just scan and patch KB958644 on those domain controllers, so that you don't have to worry about the GPO link to the DCs? For the workstations and member servers, you create the GPO to prevent Conficker from spreading because you have so many machines to patch and it may take some time; therefore Microsoft recommended that this GPO can be used to prevent Conficker from spreading to other machines, but the patch should still be applied. Also, this GPO has a step that you have to be careful not to apply to DCs, as it will create more problems for you. So, my suggestion is to simply apply the patch to the DCs; this way you don't have to apply the GPO to the DCs. You may consider linking the GPO to workstations and servers if you have a separate OU for each and have not completed the security patch on all the systems yet.

Well, believe me, in spite of having the patch, many servers including DCs had tasks created on a daily basis, hence this GPO. We have a very big setup, and while the GPO is in effect the security team is working towards cleaning up the virus issues, as we have computers not part of the domain, remote users, branches, etc. So we will ultimately remove the GPO, but presently it is in use. I agree with you completely that Microsoft has suggested having this policy in place till the virus has been cleaned up, but this patch doesn't solve this issue.
